[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question on T9000


Very briefly without having read the documentation I wrote several years ago.

The P processes are essentially sequential processes. Think a single threaded C program. The protection and relation scheme is very limited. 4 segments (think, code, stack, heap and other). These are of size 2^n and can be relocated onto a 2^n boundary. As I recall the virtual addresses are the same (apart from upper limit) for all P processes (apart from size) but can be mapped to a different physical address for each P process. There is enough mechanism that stacks can be dynamically extended (that is, the addressing scheme allows the stack segment to be extended and the instructions which alter the stack pointer (call, ajw and 1 other (?)) can be restarted after a fault. One important thing about this scheme is that the entire mapping and protection regime can be represented in four words.

The model implemented was clear and very simple. The problem David mentioned is a problem but there are others which I’ll explain when I have time - if we are talking Occam we don’t need P-processes, we can check everything. P-processes are for uncheckable (or economically uncheckable) processes. Think - I want to run a Unix program under an Occam implemented operating system.


On 23 Dec 2016, at 18:13, Larry Dickson <tjoccam@xxxxxxxxxxx> wrote:

Roger, David, and Uwe,

Thank you! I did look at the instruction set manual, and the description of the protection scheme is very clear (I’m still looking for such good descriptions in the case of the x86 and the ARM). It seems that the so-called “stub” could do the job, but the question of legality would still exist - if one was serious about the protection being maintained. It seems that the “logical” addresses talked about there are the same as “virtual” addresses in x86 etc, or am I assuming too much? Are there page tables?

David, wouldn’t it be true that any channel accessed by occam would be compiler-checkable to be legal? Could C index into a list maintained by the stub? Thanks for bringing this up, because I was focusing on the source and target data arrays. I’m wondering if pages might be swapped out, and/or if the earlier communication might check out OK and then the later process find that its side violates memory protection.


On Dec 23, 2016, at 2:46 AM, David May <dave@xxxxxxxxxxxxxxxxxxxxx> wrote:

As far as I remember, the problem is the channel addresses. Every P-process would need a set of the channel addresses it is allowed to use. These would need to be checked on every communication. 


On 22 December 2016 at 21:21, Larry Dickson <tjoccam@xxxxxxxxxxx> wrote:
Hello all,

I don’t know who to address this to, so I will ask you all. Is there someone out there who worked on the T9000 protected mode system?

and looked at the communication instructions in, out, etc. (p 95). They were all marked P (Instruction not allowed in P-process). By contrast, move was marked M (Invalid memory-address for P-process), as were ldnl, stl, stnl, etc. Thus, the latter are legal given good addresses, and the former are not legal even if addresses are good, despite the famous CSP equivalence of

b := a


chan c :
  c ! a
  c ? b

Why are the communications illegal? Was it because only one "current process” is allowed, or was it too hard to keep control over virtual memory while waiting for the second process, or was development effort too great for something which does not exist in C-language user-space? Was communication off-loaded to the L-process belonging to that P-process, or was it just not modeled?

By the way, thank you everyone who helped me to a copy of Michael Poole’s ETC paper in WoTUG-21. The book arrived, and has several other treasures besides ETC. For instance, “An optimizing multiprocessor occam system for the PowerPC” has true interrupt-level high priority, simple edge links, and even an extension of the configuration (.PGM) files!

Larry Dickson